Are you a busy person? Over sixty? Fairly computer literate, although not an expert? Are you agreeable, open-minded, and good at making quick, reflexive decisions?
Then I have some advice. Do not answer any email or SMS from anyone in a position of authority. Ever.
You are the ideal victim of a phishing attack, and you are the most likely to fall for it.
You probably think I already write about the subject of phishing emails enough. (Here, here, and here). Personally I don’t think that I (or anybody else) write about it nearly enough. There should be entire university courses, books, lectures, TV programmes dedicated to the issue. Perhaps a generously funded government unit whose sole purpose is working out why people click on phishing links, and advising how to stop it.
(Here comes the short explainer paragraph, which you can skip if you know what phishing is. The word was first used in 1996 to mean ‘a scam by which an internet user is duped into revealing personal or confidential information which the scammer can use illicitly.’
Usenet group ‘AOHell’. An early hacker forum where the phrase phishing was invented.
It typically involves an email or SMS purporting to be from some organisation. Let’s say it’s “Booking.com” explaining there has been suspicious activity on your account and you need to re-enter your personal details. The message will include a malicious link which looks like it’s from Booking.com, but is in fact fake. And – oops! – now you’ve entered your password and username, and the criminal has it. Or maybe that link could deliver ransomware which locks your computer files, and demands a bitcoin payment. There are two types. Generic phishing is spray and pray: criminals automatically send out millions of identical emails to millions of users. This is a numbers game – only a handful need to click for it to make economic sense. Spear-phishing is where a specific individual is profiled and targeted with personalised and tailored messages. OK: explainer paragraph over).
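As an added illustration of the lure described above, where a link looks like it is from Booking.com but actually points somewhere else, here is a small Python check (example code, not from the original post) that scans a constructed HTML email and flags anchors whose visible text or hostname invokes the trusted brand while the link's real registrable domain is a different site. The sample message, the invented domains and the crude last-two-labels domain heuristic are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body imitating the "suspicious activity on
# your account" lure. All domains here are invented for illustration.
SAMPLE_EMAIL = """
<p>We noticed suspicious activity on your account.</p>
<p>Please <a href="https://booking.com.account-verify.example/login">
sign in at https://www.booking.com</a> to confirm your details.</p>
<p>Questions? Visit <a href="https://www.booking.com/help">our help centre</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((visible, self._href))
            self._href = None


def registrable_domain(host):
    """Crude heuristic (assumption: no public-suffix list): keep the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, trusted_domain):
    """Return links that invoke trusted_domain in their text or hostname but
    whose actual destination resolves to a different registrable domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        actual = registrable_domain(host)
        if actual == trusted_domain:
            continue  # genuinely on the trusted site, nothing to flag
        if trusted_domain in text.lower() or trusted_domain in host:
            findings.append({"text": text, "href": href, "actual_domain": actual})
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL, "booking.com")` flags only the first link, because "booking.com" there is just a subdomain prefix on an unrelated site, while the genuine help-centre link passes.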
If someone would pay me, I would happily dedicate my entire career to answering one single question: how can we make people stop clicking on dodgy links? I could be the Martin Lewis of malware! And I would be very rich. Because clicking dodgy links costs the UK billions of pounds every year.
And besides, some of the smartest criminal minds in the world do dedicate every waking hour to that question.
According to one study, in 2019 at least 3.4 billion phishing emails were sent a day. The vast majority are stopped at the spam detection checkpoint run by your email provider. Go on – open your ‘spam’ folder and take a look. Amazing, isn’t it? An algorithm has – with a very high degree of accuracy – identified the scammy ones and diverted them for you. But a lot still smuggle past. Especially spear-phishing emails, which are usually written by a real person and are so much harder for a machine to spot.
And despite all the billions we collectively spend on sophisticated cyber-security software, training, back-ups, and so on, around one third of all successful cyber-attacks come via people clicking on a dodgy link. In 2020, seventy-five per cent of all US organisations fell victim to at least one successful phishing attack. And it keeps going up. A new report just published reckons it has increased by a quarter in the last 3 months alone! For all the talk of AI-powered cybercrime, ‘attack vectors’ and ‘zero-day vulnerabilities’, the humble phishing email carries on, undefeated. As everyone in the cyber-security industry knows, criminals do not mess with a winning formula.
It is a global pandemic – everywhere, always.
Criminals never sit still. Over the past five years they have developed and sold extremely good ‘phishing-as-a-service’ products, which are essentially one-stop-shops for conducting phishing attacks on people. Like this one, LabHost. Designed to democratise phishing so anyone can do it.
Labhost, the one stop shop for phishing. All about customer service.
Everyone in the industry predicts that AI will dramatically improve the quality, precision, and quantity of phishing attacks - and make video phishing in particular far more effective. Generative AI will make it possible to send a million personalised spear-phishing emails to a million users, ending the distinction between ‘generic’ and ‘spear’. Soon enough we won’t just be fending off scam emails from other people – but from brilliant machines. Are we up to it?
Probably not. As every cyber-security expert says, ‘the human is the weakest link’ in a security system. And we are born clickers. We can’t help it. I’ve seen heads of IT baffled and stunned. No matter what they say, how much they warn, the training they offer – we just carry on clicking.
What a time to be alive! People hovering cursors over hypertext and tapping a button can destroy lives, ruin careers, shatter dreams. Everyone from John Podesta being phished for Democrat emails, to your uncle losing thousands on a phoney ‘we have your parcel’ SMS. (That’s known as ‘smishing’, by the way). The chasm between action and consequence is one reason we keep doing it. It makes no sense that such an innocuous act, sitting behind a screen, could lead to such devastating results.
Fortunately there is a decent amount of good research now about who clicks and why. Analysts have run tests – some lasting months or years – on people to find why they keep making this mistake. Most of it is published in specialist or academic papers. Which is a shame, because this is something that everyone needs to know.
But the good news is that I’m here to summarise some of it.
Subscribe to How to Survive the Internet to keep reading this post and get 7 days of free access to the full post archives.